Bug 207907

Summary: Relabel has problem with bind mounts
Product: Red Hat Enterprise Linux 4
Component: policycoreutils
Version: 4.0
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Reporter: Peter Bieringer <pb>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
Doc Type: Bug Fix
Last Closed: 2007-01-29 14:48:37 UTC

Description Peter Bieringer 2006-09-25 10:38:17 UTC
Description of problem:
A system which has too little disk space on / uses a bind mount for e.g.
/var/spool/squid. After trying to enable SELinux many warnings were seen. They
did not go away after relabeling. I believe this is caused by the bind mount.

Version-Release number of selected component (if applicable):
policycoreutils-1.18.1-4.9


How reproducible:
After each relabel

Steps to Reproduce:
# grep squid /etc/fstab
/mnt/extra/var/spool/squid      /var/spool/squid        ext3    bind    0 0

# mount | grep squid
/mnt/extra/var/spool/squid on /var/spool/squid type ext3 (rw,bind)
mount

 
Actual results:
Sep 24 18:57:29 proxy kernel: audit(1159117049.188:30): avc:  denied  { rename }
for  pid=3917 comm="squid" name="swap.state.clean" dev=sdc1 ino=230524
scontext=user_u:system_r:squid_t tcontext=user_u:object_r:file_t tclass=file
Sep 24 18:57:29 proxy kernel: audit(1159117049.188:31): avc:  denied  { unlink }
for  pid=3917 comm="squid" name="swap.state" dev=sdc1 ino=230526
scontext=user_u:system_r:squid_t tcontext=user_u:object_r:file_t tclass=file


Expected results:
No such messages

Additional info:

SELinux is currently disabled for now, so I can't provide "ls -Z" at the moment.

Comment 1 Daniel Walsh 2006-09-25 15:57:10 UTC
file_t indicates that there are still files on the system that are labeled
incorrectly.  What kind of file system are you bind mounting?  

You could execute 

chcon -R system_u:object_r:squid_cache_t /mnt/extra/var/spool/squid

Which should fix the problem

Comment 2 Peter Bieringer 2006-12-23 14:53:27 UTC
Filesystem is ext3

# mount |grep extra
/dev/sdc1 on /mnt/extra type ext3 (rw)
/mnt/extra/var/cache on /var/cache type ext3 (rw,bind)
/mnt/extra/var/local on /var/local type ext3 (rw,bind)
/mnt/extra/var/spool/squid on /var/spool/squid type ext3 (rw,bind)

Looks like your workaround helped.
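
An added example, not code from either participant in this report: a small triage script that picks the file_t denials out of the AVC log lines quoted in the description and maps their dev= field onto the mount output from Comment 2, which gives the bind source paths where labels can be inspected with "ls -Z" or set with chcon as in Comment 1. The function names are hypothetical, and it assumes the dev= value in an AVC record corresponds to /dev/<name> in the mount output.

```python
import re

# Sample input copied from this report; the wrapped log lines are re-joined.
AVC_LOG = """\
Sep 24 18:57:29 proxy kernel: audit(1159117049.188:30): avc:  denied  { rename } for  pid=3917 comm="squid" name="swap.state.clean" dev=sdc1 ino=230524 scontext=user_u:system_r:squid_t tcontext=user_u:object_r:file_t tclass=file
Sep 24 18:57:29 proxy kernel: audit(1159117049.188:31): avc:  denied  { unlink } for  pid=3917 comm="squid" name="swap.state" dev=sdc1 ino=230526 scontext=user_u:system_r:squid_t tcontext=user_u:object_r:file_t tclass=file
"""
MOUNTS = """\
/dev/sdc1 on /mnt/extra type ext3 (rw)
/mnt/extra/var/cache on /var/cache type ext3 (rw,bind)
/mnt/extra/var/local on /var/local type ext3 (rw,bind)
/mnt/extra/var/spool/squid on /var/spool/squid type ext3 (rw,bind)
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?name="(?P<name>[^"]+)".*?dev=(?P<dev>\S+).*?tcontext=(?P<tcontext>\S+)')
MOUNT_RE = re.compile(
    r'^(?P<src>\S+) on (?P<target>\S+) type (?P<fstype>\S+) \((?P<opts>[^)]*)\)$')

def unlabeled_denials(log):
    """Return AVC denials whose target type is file_t (incorrectly labeled file)."""
    hits = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        # A context is user:role:type[:range]; the type is the third field.
        if m and m.group("tcontext").split(":")[2] == "file_t":
            hits.append(m.groupdict())
    return hits

def parse_mounts(text):
    """Parse `mount` output lines into dicts; opts becomes a list."""
    rows = [m.groupdict() for m in map(MOUNT_RE.match, text.splitlines()) if m]
    return [dict(r, opts=r["opts"].split(",")) for r in rows]

def relabel_candidates(log, mount_text):
    """Map each affected device to its mount point and the bind sources under it."""
    mounts = parse_mounts(mount_text)
    result = {}
    for dev in sorted({d["dev"] for d in unlabeled_denials(log)}):
        for m in mounts:
            if m["src"] == "/dev/" + dev:  # assumption: dev=sdc1 means /dev/sdc1
                root = m["target"]
                binds = [b["src"] for b in mounts
                         if "bind" in b["opts"] and b["src"].startswith(root + "/")]
                result[dev] = {"mounted_at": root, "bind_sources": binds}
    return result

if __name__ == "__main__":
    print(relabel_candidates(AVC_LOG, MOUNTS))
```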